Keywords: CouchDB - Amazon Web Services - Technical issue - Credentials

Description: It took me several hours to diagnose this critical security flaw, and I've tracked it down to the Bitnami config being based on CouchDB 2.0 and CouchDB 2.1 behaving differently due to a major bug. Here's my story...

I installed a Bitnami image of CouchDB 2.1.1 on AWS. My project is early in development, so there's (luckily) no critical data in the database yet. I left it pretty insecure initially, but now I'm getting closer to shipping my app so I started digging into CouchDB security (HTTPS, anonymous access, etc.).

After a few weeks of running CouchDB with lazy security I was browsing the CouchDB web interface and I noticed there were 2 new _users documents I hadn't created. I scratched my head. I Googled the usernames I found in my CouchDB and after lots of internet digging found related accounts on hacker/cracking forums. This was alarming. Sure, somebody could have port sniffed that I was running PouchDB on the default port without HTTPS, but how were they able to insert a record into _users? I thought I had ensured anonymous access was disabled. So I started trying to replicate.

I'm able to create a user without any authentication. This is all while having this in my CouchDB config:

[couch_httpd_auth]
require_valid_user = true

Based on the docs, it seems this option should disable anonymous access to CouchDB, but it doesn't. Then I found this horrible CouchDB bug. In the major bug report, it's described that couch_httpd_auth.require_valid_user in Couch 1.6.1 has changed to chttpd.require_valid_user in Couch 2, but the default.ini for Couch 2 wasn't updated. This was finally fixed in Couch 2.1 (by fixing the documentation).

The problem with Bitnami is: they're shipping a Couch 1.6 version of the config with Couch 2 version of the software. Because this was poorly documented at the time, it's a mistake that falls mostly on the Couch docs, but it should be fixed now in Bitnami's config. Many users probably think they've disabled anonymous access but haven't.

Please update the Bitnami CouchDB config to be based on the 2.1+ default config vs. the 2.0 default config. This is a critical security update.

To make matters worse, when people Google for anything involving CouchDB docs (e.g. couchdb require_valid_user), the incorrect 2.0.0 docs always rank highest, meaning a lot of people are lining up Bitnami's out-of-date config with out-of-date docs and thinking it's set up right without testing it.

To be clear: The fix is to follow the CouchDB 2.1.1 docs and to put require_valid_user = true in the [chttpd] and [couch_httpd_auth] sections.
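The section mix-up described in the post above is easy to audit mechanically. The following is an added example, not code from the original post, from Bitnami or from the CouchDB project: it models CouchDB's layering of default.ini followed by local.ini with Python's configparser, reports whether require_valid_user is set only in the legacy [couch_httpd_auth] section (which the 2.x HTTP layer does not consult) or also in [chttpd], and rewrites a 1.x-style local.ini into the form the post settles on. The ini texts are constructed stand-ins, not copies of Bitnami's or CouchDB's real files, and the optional live probe assumes a server that returns 401 on an unauthenticated GET of the root when chttpd.require_valid_user is effective.

```python
"""Audit a CouchDB 2.x config for the require_valid_user section mix-up.

Added example; not Bitnami's or CouchDB's own code.  CouchDB reads
default.ini and then local.ini, later files overriding earlier ones; the
read order in load_layered() models that.  All ini texts are constructed.
"""
import configparser
import io
import urllib.error
import urllib.request
from typing import Dict

# Constructed stand-in for a CouchDB 2.x default.ini: neither section sets
# require_valid_user, so anonymous access is allowed unless local.ini blocks it.
DEFAULT_INI_2X = """
[chttpd]
port = 5984
bind_address = 127.0.0.1

[couch_httpd_auth]
authentication_db = _users
"""

# Constructed local.ini in the CouchDB 1.x style the post describes: only the
# legacy section is set, which the 2.x HTTP front end (chttpd) does not read.
WEAK_LOCAL_INI = """
[couch_httpd_auth]
require_valid_user = true
"""


def load_layered(*ini_texts: str) -> configparser.ConfigParser:
    """Parse ini fragments in order; later keys override earlier ones."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    for text in ini_texts:
        cp.read_string(text)
    return cp


def audit_require_valid_user(cp: configparser.ConfigParser) -> Dict[str, bool]:
    """Report which sections set require_valid_user and whether 2.x honours it.

    Only [chttpd] controls the 2.x HTTP layer, so that flag alone decides
    'anonymous_blocked'; 'legacy_only' flags the 1.x-style misconfiguration.
    """
    chttpd = cp.getboolean("chttpd", "require_valid_user", fallback=False)
    legacy = cp.getboolean("couch_httpd_auth", "require_valid_user", fallback=False)
    return {
        "chttpd": chttpd,
        "couch_httpd_auth": legacy,
        "anonymous_blocked": chttpd,
        "legacy_only": legacy and not chttpd,
    }


def fix_local_ini(local_ini: str) -> str:
    """Return local.ini with require_valid_user = true in both [chttpd] and
    [couch_httpd_auth], which is the fix the post arrives at."""
    cp = load_layered(local_ini)
    for section in ("chttpd", "couch_httpd_auth"):
        if not cp.has_section(section):
            cp.add_section(section)
        cp.set(section, "require_valid_user", "true")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def probe_anonymous_access(base_url: str, timeout: float = 5.0) -> bool:
    """Optional live check (read-only, not part of the offline audit).

    Returns True if an unauthenticated GET of the server root succeeds, i.e.
    require_valid_user is not being enforced; a 401 means it is.  Assumes the
    server answers the root URL at all, which is the default for CouchDB 2.x.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            return False
        raise


if __name__ == "__main__":
    before = audit_require_valid_user(load_layered(DEFAULT_INI_2X, WEAK_LOCAL_INI))
    after = audit_require_valid_user(
        load_layered(DEFAULT_INI_2X, fix_local_ini(WEAK_LOCAL_INI)))
    print("1.x-style local.ini:", before)
    print("fixed local.ini:    ", after)
```

Run the audit against the real files by reading default.ini and local.ini from the CouchDB etc directory and passing their contents to load_layered() in that order; if the result reports legacy_only, the server will still accept anonymous requests whatever the [couch_httpd_auth] section says. The probe is the same check the post performs by hand, except that it only reads the server root instead of writing to _users, so it can be run safely against a production instance.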

You are right that we are not adding "require_valid_user" for the [chttpd] section, and we are working on releasing a new version as soon as possible.

The issue is not in the "default.ini" file; we checked that we are using the default files from CouchDB's official source code. CouchDB recommends not changing that file (http://docs.couchdb.org/en/stable/config/intro.html), so Bitnami solutions only change the "local.ini" file. We also checked that we are not shipping old config files.